As we draw near the close of 2023, we write to highlight some significant data privacy and protection developments from the past year. The landscape of digital rights and data privacy has experienced unprecedented changes, which not only reflect the rapid pace of technological advancements but also the evolving perceptions of personal privacy. These legal shifts have important implications for businesses and individuals alike. Below we summarize the most significant legal developments that will impact most companies as we head into 2024.
- Comprehensive Privacy Laws in Twelve States
Since California’s enactment of the California Consumer Privacy Act (CCPA) in June 2018, eleven states, including Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, have enacted comprehensive privacy laws. The laws in California, Colorado, Connecticut, and Virginia are already in effect, with Utah’s law taking effect on December 31, 2023. In 2024, privacy laws in Montana, Oregon, and Texas take effect, followed by laws in Delaware, Iowa, and Tennessee in 2025 and Indiana in 2026.
In addition to these twelve states, at least seven other states, including Maine, Massachusetts, New Hampshire, New Jersey, North Carolina, Pennsylvania, and Wisconsin, have introduced privacy legislation that is currently pending.
While there is significant overlap between existing privacy laws and pending legislation, each state has its own definition of “covered entities,” including different thresholds triggering applicability, as well as nuances in the requirements for compliance, available exceptions and exemptions, and penalties for non-compliance. Although state-specific, these privacy laws will impact operations and have implications for businesses nationwide. It is critical to understand the privacy laws in every jurisdiction in which your business operates.
- The European Commission’s Adequacy Decision on the EU-US Data Privacy Framework
On July 10, 2023, the European Commission recognized the EU-U.S. Data Privacy Framework as having adequate data protection, affording another mechanism for the free flow of data from the European Union to the United States. In addition to standard contractual clauses and binding corporate rules, the EU-U.S. Data Privacy Framework allows for seamless data transfers between the EU and compliant U.S. companies and provides EU individuals with rights concerning their data in the U.S. For grievances related to data misuse by U.S. intelligence agencies, individuals can approach their local data protection authority, which could result in investigations by the U.S. Civil Liberties Protection Officer and potential appeal in the Data Protection Review Court.
- Attorney General Bonta and the California Privacy Protection Agency’s Appeal of Superior Court Decision Delaying Enforcement of CCPA Regulations
On August 4, 2023, California Attorney General Rob Bonta and the California Privacy Protection Agency (CPPA) filed an appeal after a trial judge issued a decision delaying enforcement of the CPPA’s initial set of regulations implementing the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA). The trial court’s ruling would delay enforcement by 12 months, until March 29, 2024. The appeal of the trial court decision focuses on the need to protect consumer privacy, which the Attorney General argues could be undermined by delayed enforcement. While the appeal is pending, Attorney General Bonta has continued to enforce other CCPA regulations, including conducting sweeps to check compliance among large employers. For all companies conducting business in California, we strongly advise expediting compliance with the CCPA and its implementing regulations, particularly given the sunsetting cure period for CCPA violations and the hefty penalties that could be imposed for non-compliance.
- The California Privacy Protection Agency’s Draft Regulations on Cybersecurity Audits
On November 8, 2023, the CPPA released updated draft regulations on cybersecurity audits that could impose stringent cybersecurity measures on covered businesses, including mandatory annual cybersecurity audits. The cybersecurity audits would require companies to evaluate and report on various aspects of their cybersecurity practices, such as multifactor authentication and encryption, in an effort to identify and address any deficiencies. While similar to controls enforced by the U.S. Federal Trade Commission and state attorneys general, the CPPA’s approach seeks to standardize these measures for covered businesses instead of dealing with them on a case-by-case basis. The draft regulations also explore linking cybersecurity strategies directly to reducing consumer harm, which could profoundly enhance cybersecurity effectiveness. We note that these drafts are preliminary and do not signify the commencement of formal rulemaking. Many details, including the threshold for triggering the obligation to perform a cybersecurity audit and the definition of “significant risk,” are yet to be finalized. We expect the release of further regulations following the CPPA’s next board meeting on December 8, 2023.
- The California Delete Act
On October 10, 2023, California Governor Gavin Newsom signed the Delete Act into law, making California the first state to pass a law that allows consumers to have their personal information maintained by data brokers deleted via a centralized database by 2026. The Delete Act, which will go into effect on January 1, 2024, will have significant implications for industries reliant on third-party data, such as targeted advertising and AI, affecting the operations of hundreds of registered data brokers in California. The law mandates the creation of an online deletion system to process consumer deletion requests every 45 days and prohibits the sale or sharing of data once a deletion request is submitted, subject to certain conditions and exemptions. Data brokers are also required to undergo an independent audit every three years starting in 2028 to ensure compliance with the Delete Act and to provide enhanced disclosures during annual registration, including response metrics to consumer requests and information on the type of data they collect. The Delete Act will be enforced by the CPPA and imposes significant penalties for non-compliance, including daily penalties for failure to register or delete information as required.
- The California Privacy Protection Agency’s Complaint Form
On July 14, 2023, the CPPA launched a Complaint Form that allows consumers to submit complaints about possible violations of the California Consumer Privacy Act, as amended by the CCPA. The system, which allows both sworn and unsworn complaint submissions, was launched after a soft opening that received 13 complaints, with the majority being sworn and concerning the misuse of sensitive personal information. The Complaint Form includes a series of six mandatory questions regarding the nature of the complaint and the parties involved, with an optional seventh question for submitting the complaint as a sworn complaint, in which case contact details need to be provided.
- The CFPB Proposed Rule on Financial Data Rights
On October 19, 2023, the Consumer Financial Protection Bureau (CFPB) unveiled a proposed rule on personal financial data rights under Section 1033 of the Dodd-Frank Act. The proposed rule would require financial institutions to provide consumers with financial account details including their transaction data upon request. The intention is to foster open and decentralized banking, to allow consumers to have more control over their financial data and to protect against misuse of the data. The proposal addresses the types of data that need to be made available upon request, standardization and security measures for data access, the transition away from screen scraping, and requirements aimed at ensuring that third parties act in the consumer’s interest. We anticipate that the CFPB will promulgate a finalized rule by fall 2024.
As the above developments suggest, data privacy and protection issues are becoming increasingly pervasive and increasingly complex. No matter what business you conduct or in which jurisdiction you operate, it is imperative to be up to date on all your data privacy policies and overall cybersecurity measures. Here’s to a safe and compliant 2024!
* States with Comprehensive Consumer Privacy Laws